* transition policy/logic for shell-, perl- and python-scripts
@ 2008-12-27  9:34 Stefan Schulze Frielinghaus
  2008-12-27 11:19 ` Daniel J Walsh
       [not found] ` <5aebb9fb0812270301n5dacfe0dr73a71650e1a3c3a0@mail.gmail.com>
  0 siblings, 2 replies; 4+ messages in thread
From: Stefan Schulze Frielinghaus @ 2008-12-27  9:34 UTC (permalink / raw)
  To: selinux

Hello everyone,

I would like to know the policy/logic for transition of e.g. a
Perl-Script. If I write a daemon in Perl, label the file as
daemon_exec_t and execute it using the initrc_t, then the daemon runs
under the daemon_t domain. This SELinux behavior is very convenient.

I would like to know when and how does a transition for such a script
occur?

For example, create a /tmp/test.pl and run it. The file is labeled as 

unconfined_u:object_r:user_tmp_t:s0

but runs as

unconfined_u:unconfined_r:unconfined_t:s0

Therefore, no type transition occurred. Can someone give me a hint?

cheers,
Stefan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: transition policy/logic for shell-, perl- and python-scripts
  2008-12-27  9:34 transition policy/logic for shell-, perl- and python-scripts Stefan Schulze Frielinghaus
@ 2008-12-27 11:19 ` Daniel J Walsh
       [not found] ` <5aebb9fb0812270301n5dacfe0dr73a71650e1a3c3a0@mail.gmail.com>
  1 sibling, 0 replies; 4+ messages in thread
From: Daniel J Walsh @ 2008-12-27 11:19 UTC (permalink / raw)
  To: Stefan Schulze Frielinghaus; +Cc: selinux

Stefan Schulze Frielinghaus wrote:
> Hello everyone,
> 
> I would like to know the policy/logic for transition of e.g. a
> Perl-Script. If I write a daemon in Perl, label the file as
> daemon_exec_t and execute it using the initrc_t, then the daemon runs
> under the daemon_t domain. This SELinux behavior is very convenient.
> 
> I would like to know when and how does a transition for such a script
> occur?
> 
> For example, create a /tmp/test.pl and run it. The file is labeled as 
> 
> unconfined_u:object_r:user_tmp_t:s0
> 
> but runs as
> 
> unconfined_u:unconfined_r:unconfined_t:s0
> 
> Therefore, no type transition occurred. Can someone give me a hint?
> 
> cheers,
> Stefan
> 
> 
The default policy for unconfined_t is that it can execute any file type
without a transition.  So an unconfined_t process executing a user_tmp_t
file would stay unconfined_t.  Similarly initrc_t can execute most bin_t
files without a transition, so initrc_t executing files in a bin directory
with the default labeling will stay bin_t.  Now if you define a file
context for a daemon, daemon_exec_t, and a domain type for this daemon,
daemon_t, you can call an interface

init_daemon_domain(daemon_t, daemon_exec_t)

which will cause initrc_t to transition to daemon_t when it executes
files labeled daemon_exec_t.  This transition happens when the
executable starts.





* Re: transition policy/logic for shell-, perl- and python-scripts
       [not found] ` <5aebb9fb0812270301n5dacfe0dr73a71650e1a3c3a0@mail.gmail.com>
@ 2008-12-27 19:04   ` Stefan Schulze Frielinghaus
  2009-01-05 15:47     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Stefan Schulze Frielinghaus @ 2008-12-27 19:04 UTC (permalink / raw)
  To: domg472 g472; +Cc: selinux

On Sat, 2008-12-27 at 12:01 +0100, domg472 g472 wrote:
> A (executable) file is an "entrypoint" for domain transition.
> 
> source domain -> executable files type -> target domain
> 
> but domain transition is not default behaviour. Remember SELinux is
> least privilege
> 
> 1. deny access (default)
> 2. run the executable file in the source domain (can_exec(source
> domain, executable file's type))
> 3. transition from a source domain to a target domain through an
> executable file's type (domain_auto_trans(source domain, executable
> file's type, target domain))
> 
> the unconfined domain is designed to NOT transition. unconfined_t is
> not targeted, in other words it is (for the most part) exempted from
> SELinux.

How do you check if an entrypoint exists? Via security_check_context()?
I couldn't find any other function which could do the job. Or in general
how would you do it programmatically? What set of functions do you
recommend?

cheers,
Stefan




* Re: transition policy/logic for shell-, perl- and python-scripts
  2008-12-27 19:04   ` Stefan Schulze Frielinghaus
@ 2009-01-05 15:47     ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2009-01-05 15:47 UTC (permalink / raw)
  To: Stefan Schulze Frielinghaus; +Cc: domg472 g472, selinux

On Sat, 2008-12-27 at 20:04 +0100, Stefan Schulze Frielinghaus wrote:
> On Sat, 2008-12-27 at 12:01 +0100, domg472 g472 wrote:
> > A (executable) file is an "entrypoint" for domain transition.
> > 
> > source domain -> executable files type -> target domain
> > 
> > but domain transition is not default behaviour. Remember SELinux is
> > least privilege
> > 
> > 1. deny access (default)
> > 2. run the executable file in the source domain (can_exec(source
> > domain, executable file's type))
> > 3. transition from a source domain to a target domain through an
> > executable file's type (domain_auto_trans(source domain, executable
> > file's type, target domain))
> > 
> > the unconfined domain is designed to NOT transition. unconfined_t is
> > not targeted, in other words it is (for the most part) exempted from
> > SELinux.
> 
> How do you check if an entrypoint exists? Via security_check_context()?
> I couldn't find any other function which could do the job. Or in general
> how would you do it programmatically? What set of functions do you
> recommend?

security_compute_create().  See the rpm_execcon() source code in
libselinux/src/rpm.c for an example, or the compute_create sample
utility in libselinux/utils/compute_create.c.

-- 
Stephen Smalley
National Security Agency
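The three outcomes domg472 lists (deny, run in the caller's domain, transition), the rule set that Dan Walsh's init_daemon_domain(daemon_t, daemon_exec_t) expands to, and the labelling query Stephen Smalley points at, security_compute_create(), all fit in one small model. The Python below is an added example written for this page; it is not code from the thread and it is not libselinux. It parses a hand-written policy fragment (constructed here: the allow/type_transition rules that domain_auto_trans() generates, the unconfined_t rule for user_tmp_t, and two hypothetical types, broken_exec_t/broken_t, that exist only to show a declared transition with a missing entrypoint) and then answers two separate questions for a given (domain, file type) pair: what security_compute_create() would return, which is only the type_transition default, and whether the kernel's exec-time checks (file execute, execute_no_trans for staying put, process transition plus file entrypoint for moving) actually permit it. Note that for a `#!` script the file type fed into this computation is the script's own label, the user_tmp_t shown for /tmp/test.pl in the first message, not the interpreter's. On a real system you would ask the running policy instead, with the C function from the reply above or its wrapper in the libselinux Python bindings, selinux.security_compute_create(scon, tcon, "process").

```python
import re
from dataclasses import dataclass, field

# Constructed policy fragment (hand-written for this example, not dumped from a
# real policy).  The first block is what init_daemon_domain(daemon_t,
# daemon_exec_t) expands to through domain_auto_trans(); broken_exec_t and
# broken_t are hypothetical types added to show a declared-but-unusable
# transition.
POLICY = """
# domain_auto_trans(initrc_t, daemon_exec_t, daemon_t)
allow initrc_t daemon_exec_t:file { getattr open read execute };
allow initrc_t daemon_t:process transition;
allow daemon_t daemon_exec_t:file entrypoint;
type_transition initrc_t daemon_exec_t:process daemon_t;

# can_exec(initrc_t, bin_t): run in the caller's own domain
allow initrc_t bin_t:file { getattr open read execute execute_no_trans };

# unconfined_t executes user_tmp_t (e.g. /tmp/test.pl) without transitioning
allow unconfined_t user_tmp_t:file { getattr open read execute execute_no_trans };

# hypothetical: type_transition declared, but no entrypoint rule for broken_t
allow initrc_t broken_exec_t:file { getattr open read execute };
allow initrc_t broken_t:process transition;
type_transition initrc_t broken_exec_t:process broken_t;
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
TRANS_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;")


@dataclass
class Policy:
    # (source type, target type, class) -> granted permissions
    allows: dict = field(default_factory=dict)
    # (source type, target type, class) -> default new type
    transitions: dict = field(default_factory=dict)

    @classmethod
    def parse(cls, text):
        pol = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if m := ALLOW_RE.fullmatch(line):
                src, tgt, tclass, perms = m.groups()
                key = (src, tgt, tclass)
                pol.allows.setdefault(key, set()).update(perms.strip("{}").split())
            elif m := TRANS_RE.fullmatch(line):
                src, tgt, tclass, new = m.groups()
                pol.transitions[(src, tgt, tclass)] = new
            else:
                raise ValueError(f"unsupported statement: {line}")
        return pol

    def allowed(self, src, tgt, tclass, perm):
        return perm in self.allows.get((src, tgt, tclass), set())

    def compute_create(self, src, tgt, tclass):
        """Model of security_compute_create(): the type_transition default for
        (src, tgt, class), or src itself when no rule exists.  This is a
        labelling answer only; it does not say whether the exec is permitted."""
        return self.transitions.get((src, tgt, tclass), src)

    def execve(self, domain, file_type):
        """Model of the kernel's exec-time checks.  Returns one of
        ('deny', reason), ('stay', domain) or ('transition', new_domain)."""
        if not self.allowed(domain, file_type, "file", "execute"):
            return ("deny", f"{domain} has no file execute on {file_type}")
        new = self.compute_create(domain, file_type, "process")
        if new == domain:
            # Staying in the caller's domain needs execute_no_trans
            if not self.allowed(domain, file_type, "file", "execute_no_trans"):
                return ("deny", f"{domain} has no execute_no_trans on {file_type}")
            return ("stay", domain)
        # A transition needs process:transition to the new domain and
        # file:entrypoint for the new domain on the executable's type
        if not self.allowed(domain, new, "process", "transition"):
            return ("deny", f"{domain} may not transition to {new}")
        if not self.allowed(new, file_type, "file", "entrypoint"):
            return ("deny", f"{file_type} is not an entrypoint for {new}")
        return ("transition", new)


CASES = [
    ("unconfined_t", "user_tmp_t"),   # /tmp/test.pl from the first message
    ("initrc_t", "daemon_exec_t"),    # the daemon case
    ("initrc_t", "bin_t"),            # ordinary program started by init scripts
    ("initrc_t", "broken_exec_t"),    # declared transition missing entrypoint
    ("daemon_t", "user_tmp_t"),       # no rule at all: the default deny
]


def run_cases(policy=None):
    policy = policy or Policy.parse(POLICY)
    return {c: policy.execve(*c) for c in CASES}


if __name__ == "__main__":
    for (domain, ftype), result in run_cases().items():
        print(f"{domain:13} exec {ftype:14} -> {result[0]:10} {result[1]}")
```

The broken_exec_t case is the one worth remembering: compute_create() happily reports broken_t as the new domain, yet the exec is refused because broken_t was never granted entrypoint on broken_exec_t. That is why the labelling query and the permission check are kept as two methods here, and why a transition that "does not happen" on a real box is usually an AVC denial to look for rather than a missing type_transition.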



